Re: re. name cert meaning
-----BEGIN PGP SIGNED MESSAGE-----
At 10:20 AM 2/13/98 -0800, Curtis Yarvin wrote:
>>
>> At 01:46 PM 1/25/98 -0700, Bryan Ford wrote:
>> >Basically, as Curtis said, a name cert is really just a statement
>> >that "principal Y is hereby authorized to use name X in my namespace."
>>
>> to nit pick:
>>
>> I believe the SDSI name is better defined as "X is a label by which I (the
>> issuer) refer to principal Y (or some set of principals $Y_i$)".
>
>These may be two different things.
>
>When I said that, I was talking about X.509 naming, not SDSI
>naming. Obviously, Carl's definition of SDSI naming is
>correct, but X.509 has a different property: it refers to
>names that have fixed meaning in the physical world.
>
>An SDSI name seems to me more like a pointer, a way of
>describing a keyholder or keyholder set that is more
>convenient than directly including a public key. Having a
>certain SDSI name is not a privilege in and of itself.
>Being able to claim that you are the person referred to by
>an X.509 name is.

I look at X.509 names as just another formatting for SDSI names. That is,
one can form

(name <509-root-key> <CA-name-1> <CA-name-2> ... <leaf-name>)

and some have proposed that X.509 names need to be in that form, in order to
be completely unambiguous. That's a SDSI name.

The place where I believe we depart strongly from the X.509 community is
that we have looked at the idea of a name with a fixed meaning in the
physical world and found it wanting. In particular, it just doesn't work --
and runs the danger of introducing security flaws.

Of course, anyone can build a globally unique name and we sometimes need
them. We have them in SPKI/SDSI -- the public key or its hash.

- Carl
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.5.3
iQCVAwUBNQgEbxN3Wx8QwqUtAQGAGwP/WJEQxLoPclGHBXtmWG80kTgmNR9KiSIK
9g8KqHr12wl3FoWwopUx3hMPzFHsd0ABe7L4LSbotXeKJTc8KAploCjmWTJnJQ+L
XfMN2zwCMoIbLDr+5ZZHgDd0rAILJxWKkR7CVuVh3bW3jzFUR+FfD5ufk0xKvqlG
gWtlTrORhXg=
=4H3o
-----END PGP SIGNATURE-----
+------------------------------------------------------------------+
|Carl M. Ellison cme@cybercash.com http://www.clark.net/pub/cme |
|CyberCash, Inc. http://www.cybercash.com/ |
|207 Grindall Street PGP 08FF BA05 599B 49D2 23C6 6FFD 36BA D342 |
|Baltimore MD 21230-4103 T:(410) 727-4288 F:(410)727-4293 |
+------------------------------------------------------------------+
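
Added example, not part of the original message or of any SPKI/SDSI implementation: a minimal Python resolver that reduces a compound name of the form (name <key> <n1> <n2> ...) to the set of keys it denotes, showing that a label only has meaning inside its issuer's namespace. The key strings, labels and certs are constructed placeholders, and each cert is assumed to have already been verified as signed by its issuer key.

```python
# Constructed name certs: (issuer_key, local_name, subject).
# A subject is a key (str) or another name (tuple: key, n1, n2, ...).
# Key strings stand in for public keys or their hashes.
CERTS = [
    # An X.509-style path written as a chain of local names.
    ("K_root", "ca-1", "K_ca1"),
    ("K_ca1", "ca-2", "K_ca2"),
    ("K_ca2", "leaf", "K_alice"),
    # Local names: one label may denote a set of principals.
    ("K_carl", "bryan", "K_bryan"),
    ("K_carl", "friends", "K_bryan"),
    ("K_carl", "friends", ("K_bryan", "curtis")),
    ("K_bryan", "curtis", "K_curtis"),
    # Same label in a different namespace, different principal.
    ("K_curtis", "bryan", "K_other"),
]


def resolve(name, certs=CERTS, _seen=frozenset()):
    """Reduce (key, n1, n2, ...) to the set of keys it denotes."""
    key, *labels = name
    keys = {key}
    for label in labels:
        found = set()
        for k in keys:
            if (k, label) in _seen:
                continue  # definition refers back to itself: stop
            for issuer, local, subject in certs:
                if issuer != k or local != label:
                    continue
                if isinstance(subject, tuple):
                    # Subject is itself a name: resolve it recursively.
                    found |= resolve(subject, certs, _seen | {(k, label)})
                else:
                    found.add(subject)
        keys = found  # empty set means the name is undefined
    return keys


if __name__ == "__main__":
    print(resolve(("K_root", "ca-1", "ca-2", "leaf")))
    print(resolve(("K_carl", "friends")))
    print(resolve(("K_carl", "bryan")), resolve(("K_curtis", "bryan")))
```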